Example 1: Multiple Mode Firewall With Outside Access

This configuration creates three security contexts plus the admin context, each with an inside and an outside interface. The Customer C context includes a DMZ interface where a Websense server for HTTP filtering resides on the service provider premises (see Figure B-1).

Inside hosts can access the Internet through the outside using dynamic NAT or PAT, but no outside hosts can access the inside.

The Customer A context has a second network behind an inside router.

The admin context allows SSH sessions to the security appliance from one host.

Although inside IP addresses can be the same across contexts when the interfaces are unique, keeping them unique is easier to manage.

Example 1: System Configuration

You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.

hostname Farscape

password passw0rd

enable password chr1cht0n

mac-address auto

asdm image disk0:/asdm.bin

boot system disk0:/image.bin

admin-context admin

interface gigabitethernet 0/0

shutdown

interface gigabitethernet 0/0.3

vlan 3

no shutdown

interface gigabitethernet 0/1

no shutdown

interface gigabitethernet 0/1.4

vlan 4

no shutdown

interface gigabitethernet 0/1.5

vlan 5

no shutdown

interface gigabitethernet 0/1.6

vlan 6

no shutdown

interface gigabitethernet 0/1.7

vlan 7

no shutdown

interface gigabitethernet 0/1.8

vlan 8

no shutdown

class gold

limit-resource rate conns 2000

limit-resource conns 20000

class silver

limit-resource rate conns 1000

limit-resource conns 10000

class bronze

limit-resource rate conns 500

limit-resource conns 5000

context admin

allocate-interface gigabitethernet 0/0.3

allocate-interface gigabitethernet 0/1.4

config-url disk0://admin.cfg

member default

context customerA

description This is the context for customer A

allocate-interface gigabitethernet 0/0.3

allocate-interface gigabitethernet 0/1.5

config-url disk0://contexta.cfg

member gold

context customerB

description This is the context for customer B

allocate-interface gigabitethernet 0/0.3

allocate-interface gigabitethernet 0/1.6

config-url disk0://contextb.cfg

member silver

context customerC

description This is the context for customer C

allocate-interface gigabitethernet 0/0.3

allocate-interface gigabitethernet 0/1.7-gigabitethernet 0/1.8

config-url disk0://contextc.cfg

member bronze

Example 1: Admin Context Configuration

The host at 10.1.1.75 can access the context using SSH, which requires a key to be generated using the crypto key generate command.

hostname Admin

domain isp

interface gigabitethernet 0/0.3

nameif outside

security-level 0

ip address 209.165.201.2 255.255.255.224

no shutdown

interface gigabitethernet 0/1.4

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

no shutdown

passwd secret1969

enable password h1andl0

route outside 0 0 209.165.201.1 1

ssh 10.1.1.75 255.255.255.255 inside

nat (inside) 1 10.1.1.0 255.255.255.0

! This context uses dynamic NAT for inside users that access the outside

global (outside) 1 209.165.201.10-209.165.201.29

! The host at 10.1.1.75 has access to the Websense server in Customer C, so

Example 2: Single Mode Firewall Using Same Security Level

This configuration creates three internal interfaces. Two of the interfaces connect to departments that are on the same security level, which allows all hosts to communicate without using access lists. The DMZ interface hosts a Syslog server. The management host on the outside needs access to the Syslog server and the security appliance. To connect to the security appliance, the host uses a VPN connection. The security appliance uses RIP on the inside interfaces to learn routes. The security appliance does not advertise routes with RIP; the upstream router needs to use static routes for security appliance traffic (see Figure B-2).

The department networks are allowed to access the Internet and use PAT.

Figure B-2 Example 2

passwd g00fba11

enable password gen1u$

hostname Buster

asdm image disk0:/asdm.bin

boot system disk0:/image.bin

interface gigabitethernet 0/0

nameif outside

security-level 0

ip address 209.165.201.3 255.255.255.224

no shutdown

interface gigabitethernet 0/1

nameif dept2

security-level 100

ip address 10.1.2.1 255.255.255.0

mac-address 000C.F142.4CDE standby 000C.F142.4CDF

no shutdown

rip authentication mode md5

rip authentication key scorpius key_id 1

interface gigabitethernet 0/2

nameif dept1

security-level 100

ip address 10.1.1.1 255.255.255.0

no shutdown

interface gigabitethernet 0/3

nameif dmz

security-level 50

ip address 192.168.2.1 255.255.255.0

no shutdown

same-security-traffic permit inter-interface

route outside 0 0 209.165.201.1 1

nat (dept1) 1 10.1.1.0 255.255.255.0

nat (dept2) 1 10.1.2.0 255.255.255.0

! The dept1 and dept2 networks use PAT when accessing the outside

global (outside) 1 209.165.201.9 netmask 255.255.255.255

! Because we perform dynamic NAT on these addresses for outside access, we need to perform

! NAT on them for all other interface access. This identity static statement just

! translates the local address to the same address.

static (dept1,dept2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (dept2,dept1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

! The syslog server uses a static translation so the outside management host can access

Example 3: Shared Resources for Multiple Contexts

This configuration includes multiple contexts for multiple departments within a company. Each department has its own security context so that each department can have its own security policy. However, the syslog, mail, and AAA servers are shared across all departments. These servers are placed on a shared interface (see Figure B-3).

Department 1 has a web server that outside users who are authenticated by the AAA server can access.

Example 3: System Configuration

You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.

hostname Ubik

password pkd55

enable password deckard69

asdm image disk0:/asdm.bin

boot system disk0:/image.bin

mac-address auto

admin-context admin

interface gigabitethernet 0/0

no shutdown

interface gigabitethernet 0/0.200

vlan 200

no shutdown

interface gigabitethernet 0/1

shutdown

interface gigabitethernet 0/1.201

vlan 201

no shutdown

interface gigabitethernet 0/1.202

vlan 202

no shutdown

interface gigabitethernet 0/1.300

vlan 300

no shutdown

context admin

allocate-interface gigabitethernet 0/0.200

allocate-interface gigabitethernet 0/1.201

allocate-interface gigabitethernet 0/1.300

config-url disk0://admin.cfg

context department1

allocate-interface gigabitethernet 0/0.200

allocate-interface gigabitethernet 0/1.202

allocate-interface gigabitethernet 0/1.300

config-url ftp://admin:passw0rd@10.1.0.16/dept1.cfg

context department2

allocate-interface gigabitethernet 0/0.200

allocate-interface gigabitethernet 0/1.203

allocate-interface gigabitethernet 0/1.300

config-url ftp://admin:passw0rd@10.1.0.16/dept2.cfg
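The allocation rules in the Example 1 and Example 3 system configurations (one `interface ... vlan` definition per subinterface, ranges such as `gigabitethernet 0/1.7-gigabitethernet 0/1.8`, interfaces shared across contexts under `mac-address auto`) lend themselves to an automated cross-check. The following Python validator is an added example, not code or tooling from the Cisco guide; its sample input is constructed from the Example 3 system configuration, and it does not model mapped interface names.

```python
"""Added example (not part of the Cisco guide): cross-check a multiple-context
system configuration like the page's Example 1 and Example 3. It verifies that
every interface a context allocates is defined (expanding ranges written as
'gigabitethernet 0/1.7-gigabitethernet 0/1.8'), that each subinterface has a
'vlan' and is not enabled under a shut-down parent (a shut-down physical
interface takes its subinterfaces down), and lists interfaces shared by several
contexts, which rely on 'mac-address auto' (or manual MAC addresses) for packet
classification. Sample constructed from the page's Example 3 system config."""
from collections import defaultdict

SAMPLE_SYSTEM_CONFIG = """
mac-address auto
admin-context admin
interface gigabitethernet 0/0
 no shutdown
interface gigabitethernet 0/0.200
 vlan 200
 no shutdown
interface gigabitethernet 0/1
 shutdown
interface gigabitethernet 0/1.201
 vlan 201
 no shutdown
interface gigabitethernet 0/1.300
 vlan 300
 no shutdown
context admin
 allocate-interface gigabitethernet 0/0.200
 allocate-interface gigabitethernet 0/1.201
 allocate-interface gigabitethernet 0/1.300
context department2
 allocate-interface gigabitethernet 0/0.200
 allocate-interface gigabitethernet 0/1.203
 allocate-interface gigabitethernet 0/1.300
"""


def expand_allocation(spec):
    """Expand 'kind a/b.X-kind a/b.Y' into each subinterface; plain names pass through."""
    if "-" not in spec:
        return [spec]
    first, last = spec.split("-", 1)
    base, lo = first.rsplit(".", 1)
    _, hi = last.rsplit(".", 1)
    return [f"{base}.{n}" for n in range(int(lo), int(hi) + 1)]


def parse_system_config(text):
    """Return (interfaces, contexts, mac_auto) parsed from system-context CLI text."""
    interfaces, contexts, mac_auto = {}, {}, False
    current_if = current_ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "mac-address auto":
            mac_auto = True
        elif line.startswith("interface "):
            current_if, current_ctx = line[len("interface "):], None
            interfaces[current_if] = {"vlan": None, "shutdown": False}
        elif line.startswith("context "):
            current_ctx, current_if = line.split()[1], None
            contexts.setdefault(current_ctx, [])
        elif current_if and line.startswith("vlan "):
            interfaces[current_if]["vlan"] = line.split()[1]
        elif current_if and line == "shutdown":
            interfaces[current_if]["shutdown"] = True
        elif current_ctx and line.startswith("allocate-interface "):
            spec = line[len("allocate-interface "):]
            contexts[current_ctx].extend(expand_allocation(spec))
    return interfaces, contexts, mac_auto


def check_allocations(text):
    """Return (findings, shared): readable problems, plus interface -> contexts
    for every interface allocated to more than one context."""
    interfaces, contexts, mac_auto = parse_system_config(text)
    findings = []
    for name, attrs in interfaces.items():
        if "." not in name:
            continue  # physical interface
        parent = name.rsplit(".", 1)[0]
        if attrs["vlan"] is None:
            findings.append(f"{name}: subinterface has no vlan")
        if not attrs["shutdown"] and interfaces.get(parent, {}).get("shutdown"):
            findings.append(f"{name}: enabled but parent {parent} is shut down")
    users = defaultdict(list)
    for ctx, allocs in contexts.items():
        for iface in allocs:
            users[iface].append(ctx)
            if iface not in interfaces:
                findings.append(f"{ctx}: allocates undefined interface {iface}")
    shared = {i: c for i, c in users.items() if len(c) > 1}
    if shared and not mac_auto:
        findings.append("shared interfaces but no 'mac-address auto': " + ", ".join(shared))
    return findings, shared
```

Run against the sample, the checker reports the department2 allocation of an undefined subinterface and the enabled subinterfaces under the shut-down gigabitethernet 0/1, and lists 0/0.200 and 0/1.300 as shared.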

Example 3: Admin Context Configuration

hostname Admin

interface gigabitethernet 0/0.200

nameif outside

security-level 0

ip address 209.165.201.3 255.255.255.224

no shutdown

interface gigabitethernet 0/0.201

nameif inside

security-level 100

ip address 10.1.0.1 255.255.255.0

no shutdown

interface gigabitethernet 0/0.300

nameif shared

security-level 50

ip address 10.1.1.1 255.255.255.0

no shutdown

passwd v00d00

enable password d011

route outside 0 0 209.165.201.2 1

nat (inside) 1 10.1.0.0 255.255.255.0

! This context uses PAT for inside users that access the outside

global (outside) 1 209.165.201.6 netmask 255.255.255.255

! This context uses PAT for inside users that access the shared network

global (shared) 1 10.1.1.30

! Because this host can access the web server in the Department 1 context, it requires a

Example 4: System Configuration

You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.

firewall transparent

hostname Farscape

password passw0rd

enable password chr1cht0n

asdm image disk0:/asdm.bin

boot system disk0:/image.bin

admin-context admin

interface gigabitethernet 0/0

no shutdown

interface gigabitethernet 0/0.150

vlan 150

no shutdown

interface gigabitethernet 0/0.151

vlan 151

no shutdown

interface gigabitethernet 0/0.152

vlan 152

no shutdown

interface gigabitethernet 0/0.153

vlan 153

no shutdown

interface gigabitethernet 0/1

shutdown

interface gigabitethernet 0/1.4

vlan 4

no shutdown

interface gigabitethernet 0/1.5

vlan 5

no shutdown

interface gigabitethernet 0/1.6

vlan 6

no shutdown

interface gigabitethernet 0/1.7

vlan 7

no shutdown

interface management 0/0

no shutdown

context admin

allocate-interface gigabitethernet 0/0.150

allocate-interface gigabitethernet 0/1.4

allocate-interface management 0/0

config-url disk0://admin.cfg

context customerA

description This is the context for customer A

allocate-interface gigabitethernet 0/0.151

allocate-interface gigabitethernet 0/1.5

config-url disk0://contexta.cfg

context customerB

description This is the context for customer B

allocate-interface gigabitethernet 0/0.152

allocate-interface gigabitethernet 0/1.6

config-url disk0://contextb.cfg

context customerC

description This is the context for customer C

allocate-interface gigabitethernet 0/0.153

allocate-interface gigabitethernet 0/1.7

config-url disk0://contextc.cfg

Example 4: Admin Context Configuration

The host at 10.1.1.75 can access the context using SSH, which requires a key pair to be generated using the crypto key generate command.

hostname Admin

domain isp

interface gigabitethernet 0/0.150

nameif outside

security-level 0

no shutdown

interface gigabitethernet 0/1.4

nameif inside

security-level 100

no shutdown

interface management 0/0

nameif manage

security-level 50

ip address 10.2.1.1 255.255.255.0

no shutdown

passwd secret1969

enable password h1andl0

ip address 10.1.1.1 255.255.255.0

route outside 0 0 10.1.1.2 1

ssh 10.1.1.75 255.255.255.255 inside

access-list OSPF remark -Allows OSPF

access-list OSPF extended permit 89 any any

access-group OSPF in interface outside

Example 4: Customer A Context Configuration

interface gigabitethernet 0/0.151

nameif outside

security-level 0

no shutdown

interface gigabitethernet 0/1.5

nameif inside

security-level 100

no shutdown

passwd hell0!

enable password enter55

ip address 10.1.2.1 255.255.255.0

route outside 0 0 10.1.2.2 1

access-list OSPF remark -Allows OSPF

access-list OSPF extended permit 89 any any

access-group OSPF in interface outside

Example 4: Customer B Context Configuration

interface gigabitethernet 0/0.152

nameif outside

security-level 0

no shutdown

interface gigabitethernet 0/1.6

nameif inside

security-level 100

no shutdown

passwd tenac10us

enable password defen$e

ip address 10.1.3.1 255.255.255.0

route outside 0 0 10.1.3.2 1

access-list OSPF remark -Allows OSPF

access-list OSPF extended permit 89 any any

access-group OSPF in interface outside

Example 4: Customer C Context Configuration

interface gigabitethernet 0/0.153

nameif outside

security-level 0

no shutdown

interface gigabitethernet 0/1.7

nameif inside

security-level 100

no shutdown

passwd fl0wer

enable password treeh0u$e

ip address 10.1.4.1 255.255.255.0

route outside 0 0 10.1.4.2 1

access-list OSPF remark -Allows OSPF

access-list OSPF extended permit 89 any any

access-group OSPF in interface outside

Example 5: WebVPN Configuration

This configuration shows the commands needed to create WebVPN connections to the security appliance.

WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTP(S) Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

Step 1 Configure the security appliance for WebVPN.

webvpn

! WebVPN sessions are allowed on the outside and dmz1 interfaces; ASDM is not allowed.

enable outside

enable dmz161

title-color green

secondary-color 200,160,0

text-color black

default-idle-timeout 3600

! The NetBios Name server used for CIFS resolution.

nbns-server 172.31.122.10 master timeout 2 retry 2

accounting-server-group RadiusACS1

! WebVPN sessions are authenticated to a RADIUS aaa server.

authentication-server-group RadiusACS2

Step 2 Enable the WebVPN access lists to be enforced on a group policy or user policy. The access lists are defined with the filter value and functions commands in the group or user configuration.

Step 3 You can configure a list of pre-configured URLs presented on the WebVPN user's home page after login, which are defined per user or per group.

url-list HomeURL "Sales" https://sales.example.com

url-list HomeURL "VPN3000-1" http://vpn3k-1.example.com

url-list HomeURL "OWA-2000" http://10.160.105.2/exchange

url-list HomeURL "Exchange5.5" http://10.86.195.113/exchange

url-list HomeURL "Employee Benefits" http://benefits.example.com

url-list HomeURL "Calendar" http://eng.example.com/cal.html

Step 4 Configure a list of non-web TCP applications to be port-forwarded over WebVPN. The list is defined globally but is enforced per user or per group policy.

port-forward Apps1 4001 10.148.1.81 telnet term-servr

port-forward Apps1 4008 router1-example.com ssh

port-forward Apps1 10143 flask.example.com imap4

port-forward Apps1 10110 flask.example.com pop3

port-forward Apps1 10025 flask.example.com smtp

port-forward Apps1 11533 sametime-im.example.com 1533

port-forward Apps1 10022 secure-term.example.com ssh

port-forward Apps1 21666 tuscan.example.com 1666 perforce-f1

port-forward Apps1 1030 sales.example.com https

Step 5 Configure the policy attributes enforced for users of the SSLVPNusers group-policy.

Step 6 Next, configure the interface(s) where ASDM and WebVPN HTTPS sessions will terminate. Note that the security appliance can support both WebVPN and an ASDM administrative session simultaneously on the same interface. To do so, you must assign different port numbers to these functions.

Example 8: LAN-Based Active/Standby Failover (Routed Mode)

Figure B-7 shows the network diagram for a failover configuration using an Ethernet failover link. The units are configured to detect unit failures and to fail over in under a second (see the failover polltime unit command in the primary unit configuration).

Example 9: Primary Unit Configuration

Example 9: Primary System Configuration

You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.

hostname ciscopix

enable password farscape

password crichton

asdm image flash:/asdm.bin

boot system flash:/cdisk.bin

mac-address auto

interface Ethernet0

description LAN/STATE Failover Interface

interface Ethernet1

no shutdown

interface Ethernet2

no shutdown

interface Ethernet3

no shutdown

interface Ethernet4

no shutdown

interface Ethernet5

no shutdown

interface Ethernet6

no shutdown

interface Ethernet7

no shutdown

interface Ethernet8

no shutdown

interface Ethernet9

no shutdown

failover

failover lan unit primary

failover lan interface folink Ethernet0

failover link folink Ethernet0

failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11

failover group 1

primary

preempt

failover group 2

secondary

preempt

admin-context admin

context admin

description admin

allocate-interface Ethernet1

allocate-interface Ethernet2

config-url flash:/admin.cfg

join-failover-group 1

context ctx1

description context 1

allocate-interface Ethernet3

allocate-interface Ethernet4

config-url flash:/ctx1.cfg

join-failover-group 2

Example 9: Primary admin Context Configuration

enable password frek

password elixir

hostname admin

interface Ethernet1

nameif outside

security-level 0

ip address 192.168.5.101 255.255.255.0 standby 192.168.5.111

interface Ethernet2

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0 standby 192.168.0.11

monitor-interface outside

monitor-interface inside

route outside 0.0.0.0 0.0.0.0 192.168.5.1 1

ssh 192.168.0.2 255.255.255.255 inside

Example 9: Primary ctx1 Context Configuration

enable password quadrophenia

password tommy

hostname ctx1

interface Ethernet3

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0 standby 192.168.20.11

interface Ethernet4

nameif outside

security-level 0

ip address 192.168.10.31 255.255.255.0 standby 192.168.10.41

asr-group 1

access-list 201 extended permit ip any any

access-group 201 in interface outside

logging enable

logging console informational

monitor-interface inside

monitor-interface outside

route outside 0.0.0.0 0.0.0.0 192.168.10.71 1

Example 9: Secondary Unit Configuration

You only need to configure the secondary security appliance to recognize the failover link. The secondary security appliance obtains the context configurations from the primary security appliance upon booting or when failover is first enabled. The preempt commands in the failover group configurations cause the failover groups to become active on their designated unit after the configurations have been synchronized and the preempt delay has passed.

failover

failover lan unit secondary

failover lan interface folink Ethernet0

failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11

Example 10: Cable-Based Active/Standby Failover (Transparent Mode)

Figure B-6 shows the network diagram for a transparent mode failover configuration using a serial Failover cable. This configuration is only available on the PIX 500 series security appliance.

Figure B-9 Transparent Mode Cable-Based Failover Configuration

The following are the typical commands in a cable-based, transparent firewall failover configuration.

Example 11: LAN-Based Active/Standby Failover (Transparent Mode)

Figure B-7 shows the network diagram for a transparent mode failover configuration using an Ethernet failover link. The units are configured to detect unit failures and to fail over in under a second (see the failover polltime unit command in the primary unit configuration).

Example 12: LAN-Based Active/Active Failover (Transparent Mode)

The following example shows how to configure transparent mode Active/Active failover. In this example there are two user contexts, named admin and ctx1. Figure B-8 shows the network diagram for the example.

Example 12: Primary Unit Configuration

Example 12: Primary System Configuration

You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.

firewall transparent

hostname ciscopix

enable password farscape

password crichton

asdm image flash:/asdm.bin

boot system flash:/cdisk.bin

mac-address auto

interface Ethernet0

description LAN/STATE Failover Interface

interface Ethernet1

no shutdown

interface Ethernet2

no shutdown

interface Ethernet3

no shutdown

interface Ethernet4

no shutdown

interface Ethernet5

no shutdown

interface Ethernet6

no shutdown

interface Ethernet7

no shutdown

interface Ethernet8

no shutdown

interface Ethernet9

no shutdown

failover

failover lan unit primary

failover lan interface folink Ethernet0

failover link folink Ethernet0

failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11

failover group 1

primary

preempt

failover group 2

secondary

preempt

admin-context admin

context admin

description admin

allocate-interface Ethernet1

allocate-interface Ethernet2

config-url flash:/admin.cfg

join-failover-group 1

context ctx1

description context 1

allocate-interface Ethernet3

allocate-interface Ethernet4

config-url flash:/ctx1.cfg

join-failover-group 2

Example 12: Primary admin Context Configuration

enable password frek

password elixir

hostname admin

interface Ethernet1

nameif outside

security-level 0

interface Ethernet2

nameif inside

security-level 100

ip address 192.168.5.31 255.255.255.0 standby 192.168.5.32

monitor-interface outside

monitor-interface inside

route outside 0.0.0.0 0.0.0.0 192.168.5.1 1

ssh 192.168.5.72 255.255.255.255 inside

Example 12: Primary ctx1 Context Configuration

enable password quadrophenia

password tommy

hostname ctx1

interface Ethernet3

nameif inside

security-level 100

interface Ethernet4

nameif outside

security-level 0

access-list 201 extended permit ip any any

access-group 201 in interface outside

logging enable

logging console informational

ip address 192.168.10.31 255.255.255.0 standby 192.168.10.32

monitor-interface inside

monitor-interface outside

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1

Example 12: Secondary Unit Configuration

You only need to configure the secondary security appliance to recognize the failover link. The secondary security appliance obtains the context configurations from the primary security appliance upon booting or when failover is first enabled. The preempt commands in the failover group configurations cause the failover groups to become active on their designated unit after the configurations have been synchronized and the preempt delay has passed.

firewall transparent

failover

failover lan unit secondary

failover lan interface folink Ethernet0

failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11

Example 13: Dual ISP Support Using Static Route Tracking

This configuration shows a remote office using static route tracking to use a backup ISP route if the primary ISP route fails. The security appliance in the remote office uses ICMP echo requests to monitor the availability of the main office gateway. If that gateway becomes unavailable through the default route, the default route is removed from the routing table and the floating route to the backup ISP is used in its place.

Figure B-12 Dual ISP Support

passwd password1

enable password password2

hostname myfirewall

asdm image disk0:/asdm.bin

boot system disk0:/image.bin

!

interface gigabitethernet 0/0

nameif outside

security-level 0

ip address 10.1.1.2 255.255.255.0

no shutdown

!

interface gigabitethernet 0/1

description backup isp link

nameif backupisp

security-level 100

ip address 172.16.2.2 255.255.255.0

no shutdown

!

sla monitor 123

type echo protocol ipIcmpEcho 10.2.1.2 interface outside

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 123 life forever start-time now

!

track 1 rtr 123 reachability

!

route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1

! The above route is used while the tracked object, router 10.2.1.2

! is available. It is removed when the router becomes unavailable.

!

route backupisp 0.0.0.0 0.0.0.0 172.16.2.1 254

! The above route is a floating static route that is added to the

! routing table when the tracked route is removed.
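As an added example (not configuration or code from the guide), the following Python model plays the configuration above forward: it applies the num-packets and timeout rules of sla monitor 123 to constructed probe results and shows when the tracked default route gives way to the floating route. The reachability rule used (any probe answered within the timeout keeps the track up) and the probe timings are assumptions stated in the code.

```python
"""Added example (not part of the Cisco guide): a model of the static route
tracking configured above. 'sla monitor 123' sends num-packets echo probes to
10.2.1.2 every 'frequency' seconds. Assumption: the target counts as reachable
when at least one probe is answered within 'timeout' ms, so num-packets 3 lets
a single lost packet pass without taking 'track 1' down. While the track is up
the default route via 10.1.1.1 (distance 1) is installed; when it goes down the
route is removed and the floating route via 172.16.2.1 (distance 254) takes
over. Probe timings are constructed; recovery/hold-down timers are not modelled."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    interface: str
    gateway: str
    distance: int = 1
    track: Optional[int] = None   # tracked object that must be up for the route to be installed


@dataclass(frozen=True)
class SlaEcho:
    """One 'sla monitor ... type echo' operation."""
    target: str
    num_packets: int = 3
    timeout_ms: int = 1000
    frequency_s: int = 3

    def reachable(self, rtts_ms):
        """rtts_ms holds one entry per probe: round-trip time in ms, or None when
        no reply arrived. Reachable if any probe was answered within the timeout."""
        if len(rtts_ms) != self.num_packets:
            raise ValueError(f"expected {self.num_packets} probe results")
        return any(r is not None and r <= self.timeout_ms for r in rtts_ms)


# The page's configuration expressed as data.
SLA_123 = SlaEcho(target="10.2.1.2")          # sla monitor 123, type echo ... 10.2.1.2
CANDIDATE_DEFAULTS = [
    Route("outside", "10.1.1.1", distance=1, track=1),     # route outside 0 0 10.1.1.1 track 1
    Route("backupisp", "172.16.2.1", distance=254),        # route backupisp 0 0 172.16.2.1 254
]


def installed_default(routes, track_state):
    """Routes whose track is up (or that are untracked) compete; lowest distance wins."""
    usable = [r for r in routes if r.track is None or track_state.get(r.track, False)]
    return min(usable, key=lambda r: r.distance) if usable else None


def simulate(probe_rounds, routes=CANDIDATE_DEFAULTS):
    """probe_rounds: probe results of successive sla monitor 123 operations, which
    feed 'track 1 rtr 123 reachability'. Returns [(time_s, interface, gateway)]."""
    timeline = []
    for i, rtts in enumerate(probe_rounds):
        state = {1: SLA_123.reachable(rtts)}
        chosen = installed_default(routes, state)
        timeline.append((i * SLA_123.frequency_s,
                         chosen.interface if chosen else None,
                         chosen.gateway if chosen else None))
    return timeline


# Constructed probe history: healthy, one loss, total loss, replies past timeout, recovery.
SAMPLE_ROUNDS = [
    [12, 11, 13],
    [None, 14, 12],
    [None, None, None],
    [1500, 1800, None],
    [15, 12, 11],
]
```

Feeding SAMPLE_ROUNDS to simulate() keeps 10.1.1.1 through the single lost probe, switches to 172.16.2.1 for the rounds with no timely replies, and returns to 10.1.1.1 once probes succeed again.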

Example 14: ASA 5505 Base License

This configuration creates three VLANs: inside (business), outside (Internet), and home (see Figure B-13). Both the home and inside VLANs can access the outside, but the home VLAN cannot access the inside VLAN. The inside VLAN can access the home VLAN so both VLANs can share a printer. Because the outside IP address is set using DHCP, the inside and home VLANs use interface PAT when accessing the Internet.

Figure B-13 Example 13

passwd g00fba11

enable password gen1u$

hostname Buster

asdm image disk0:/asdm.bin

boot system disk0:/image.bin

interface vlan 2

nameif outside

security-level 0

ip address dhcp setroute

no shutdown

interface vlan 1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

no shutdown

interface vlan 3

! This interface cannot communicate with the inside interface. This is required using

! the Base license

no forward interface vlan 1

nameif home

security-level 50

ip address 192.168.2.1 255.255.255.0

no shutdown

interface ethernet 0/0

switchport access vlan 2

no shutdown

interface ethernet 0/1

switchport access vlan 1

no shutdown

interface ethernet 0/2

switchport access vlan 1

no shutdown

interface ethernet 0/3

switchport access vlan 3

no shutdown

interface ethernet 0/4

switchport access vlan 3

no shutdown

interface ethernet 0/5

switchport access vlan 3

no shutdown

interface ethernet 0/6

description PoE for IP phone1

switchport access vlan 1

no shutdown

interface ethernet 0/7

description PoE for IP phone2

switchport access vlan 1

no shutdown

nat (inside) 1 0 0

nat (home) 1 0 0

global (outside) 1 interface

! The previous NAT statements match all addresses on inside and home, so you need to

! also perform NAT when hosts access the inside or home networks (as well as the outside).
! Or you can exempt hosts from NAT for inside <--> home traffic, as effected by the

! If the link goes down for the primary ISP, either due to a hardware failure

! or unplugged cable, then this route will be used.

http server enable

http 192.168.1.0 255.255.255.0 inside

dhcpd address 192.168.1.2-192.168.1.254 inside

dhcpd auto_config outside

dhcpd enable inside

logging asdm informational

ssh 192.168.1.0 255.255.255.0 inside

Example 15: Secondary Unit Configuration

You only need to configure the secondary security appliance to recognize the failover link. The secondary security appliance obtains the context configurations from the primary security appliance upon booting or when failover is first enabled.

Example 16: Network Traffic Diversion

The following configuration example shows the ASA 5500 series adaptive security appliance with Version 7.2.1 software and the AIP SSM module with IPS software 5.1.1.

Traffic that traverses the adaptive security appliance includes internal users accessing the Internet and Internet users accessing resources that the adaptive security appliance protects in a demilitarized zone (DMZ) or on an inside network. Traffic sent to or from the adaptive security appliance itself is not sent to the IPS module for inspection; examples include pinging (through ICMP) the adaptive security appliance interfaces or Telnetting to the adaptive security appliance.

Inspecting All Traffic with the AIP SSM

This configuration meets the requirement to monitor all traffic. In addition, you must make two decisions about how the ASA 5510 and AIP SSM interact.

• Is the AIP SSM module to be deployed in promiscuous or inline mode?

Promiscuous mode means that a copy of the data is sent to the AIP SSM while the ASA 5510 forwards the original data to the destination. The AIP SSM in promiscuous mode can be considered as an intrusion detection system (IDS). In this mode, the trigger packet that causes the alarm can still reach the destination. Shunning can occur and stop additional packets from reaching the destination; however, the trigger packet is not stopped.

Inline mode means that the ASA 5510 forwards the data to the AIP SSM for inspection. If the data passes AIP SSM inspection, the data returns to the ASA 5510 in order to continue being processed and sent to the destination. The AIP SSM in inline mode can be considered to be an intrusion prevention system (IPS). Unlike promiscuous mode, an inline mode IPS can actually stop the trigger packet from reaching the destination.

• If the ASA 5510 cannot communicate with the AIP SSM, how should the adaptive security appliance handle traffic for inspection?

Examples of instances when the ASA 5510 cannot communicate with the AIP SSM include AIP SSM reloads or a failed module that needs replacement. In this case, the adaptive security appliance can fail-open or fail-closed.

Fail-open allows the adaptive security appliance to continue to pass traffic for inspection to the final destination if the AIP SSM cannot be reached. Fail-closed blocks traffic for inspection when the adaptive security appliance cannot communicate with the AIP SSM.

Note Define the traffic for inspection with an access list. In the following example, the access list permits all IP traffic from any source to any destination. Therefore, traffic for inspection can be anything that passes through the adaptive security appliance.

!--- The match any
!--- command can be used in place of the match access-list [access-list name]
!--- command. In this example, access-list traffic_for_ips permits
!--- all traffic. The match any command also
!--- permits all traffic. You can use either configuration.
!--- When you define an access-list, it can ease troubleshooting.

ciscoasa(config)#policy-map global_policy

!--- Note that policy-map global_policy is a part of the
!--- default configuration. In addition, policy-map global_policy is applied
!--- globally using the service-policy command.

!--- The access-list denies traffic from the inside network to the DMZ network
!--- and traffic to the inside network from the DMZ network.
!--- In addition, the service-policy command is applied to the DMZ interface.

The following example shows how to configure the AIP SSM to monitor traffic from the inside network to the outside network, but exclude the inside network to the DMZ network.

Note You must have an intermediate understanding of statefulness, TCP, UDP, ICMP, connection, and connectionless communications to understand the following example.

The access list denies traffic initiated on the inside network destined for the DMZ network. The second access list line permits or sends traffic initiated on the inside network destined for the outside network to the AIP SSM. At this point the statefulness of the adaptive security appliance comes into play.

For example, an internal user initiates a TCP connection (Telnet) to a device on the outside network (router). The user successfully connects to the router and logs in, then issues a router command that is not authorized. The router responds with the message, "Command authorization failed." The data packet that contains the message, "Command authorization failed" has the outside router as the source and the inside user as the destination. The source (outside) and destination (inside) do not match the access lists previously defined. The adaptive security appliance keeps track of stateful connections. As a result, the returning data packet (outside to inside) is sent to the AIP SSM for inspection. Custom signature 60000 0 (configured on the AIP SSM) alarms.

Note By default, the adaptive security appliance does not maintain state for the ICMP traffic. In the previous example, the internal user pings (ICMP echo request) the outside router. The router responds with an ICMP echo-reply. The AIP SSM inspects the echo request packet, but not the echo-reply packet. If ICMP inspection is enabled on the adaptive security appliance, both the echo request and echo-reply packets are inspected by the AIP SSM.
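The statefulness argument above and the ICMP caveat in the Note can be made concrete with a small model of the diversion decision. This Python code is an added example, not configuration or code from the guide; the inside and DMZ networks, host addresses and access list entries are constructed to mirror the description (deny inside to DMZ and DMZ to inside, permit inside to outside).

```python
"""Added example (not part of the Cisco guide): a model of how the adaptive
security appliance decides which packets to divert to the AIP SSM when the
service policy matches the access list described above. New flows are
classified by the access list (first match wins, implicit deny); return
traffic of a flow already diverted follows it because the appliance tracks
connection state. ICMP has no state unless ICMP inspection is enabled, so an
echo reply is only diverted when icmp_inspection=True. All addresses and the
access list entries are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # for icmp: the ICMP type (8 = echo request, 0 = echo reply)
    dport: int = 0      # for icmp: the ICMP identifier


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" sends matching traffic to the module, "deny" keeps it out
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


INSIDE, DMZ, ANY = (ipaddress.ip_network(n) for n in
                    ("10.1.1.0/24", "192.168.2.0/24", "0.0.0.0/0"))
TRAFFIC_FOR_IPS = [          # constructed counterpart of access-list traffic_for_ips
    Ace("deny", INSIDE, DMZ),
    Ace("deny", DMZ, INSIDE),
    Ace("permit", INSIDE, ANY),
]


class IpsDiverter:
    def __init__(self, acl, icmp_inspection=False):
        self.acl = acl
        self.icmp_inspection = icmp_inspection
        self.flows = set()   # forward 5-tuples of flows already diverted to the module

    @staticmethod
    def _forward_key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        """The forward flow this packet would be the return half of."""
        if pkt.proto == "icmp":
            return ("icmp", pkt.dst, 8, pkt.src, pkt.dport)   # reply answers an echo request
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        """Return 'inspect' if the packet goes to the AIP SSM, otherwise 'bypass'."""
        if self._reverse_key(pkt) in self.flows:
            return "inspect"   # stateful: return traffic follows the diverted connection
        for ace in self.acl:
            if ace.matches(pkt):
                if ace.action == "deny":
                    return "bypass"
                if pkt.proto != "icmp" or self.icmp_inspection:
                    self.flows.add(self._forward_key(pkt))   # remember so the reply is diverted too
                return "inspect"
        return "bypass"        # implicit deny: never reaches the module


def run_scenario(icmp_inspection=False):
    """Replay the Telnet and ping scenario from the text; returns label -> decision."""
    d = IpsDiverter(TRAFFIC_FOR_IPS, icmp_inspection)
    router, user, dmz_host = "209.165.201.1", "10.1.1.20", "192.168.2.10"
    steps = [
        ("telnet request", Packet("tcp", user, router, 40000, 23)),
        ("telnet reply", Packet("tcp", router, user, 23, 40000)),   # "Command authorization failed"
        ("inside to dmz", Packet("tcp", user, dmz_host, 40001, 80)),
        ("unsolicited outside", Packet("tcp", router, "10.1.1.99", 23, 40000)),
        ("echo request", Packet("icmp", user, router, 8, 1234)),
        ("echo reply", Packet("icmp", router, user, 0, 1234)),
    ]
    return {label: d.decide(pkt) for label, pkt in steps}
```

With the default settings the Telnet reply is inspected although its source does not match the access list, while the echo reply bypasses the module; enabling icmp_inspection diverts the reply as well.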

Verifying the Recording of Alert Events

To verify that alert events are recorded in the AIP SSM, perform the following steps:

Step 1 Log into the AIP SSM with the administrator user account.

Note The output varies according to signature settings, the type of traffic sent to the AIP SSM, and network load.

In these configurations, several IPS signatures are tuned to alarm on test traffic. Signatures 2000 and 2004 are modified. Custom signature 60000 is added. In a network where little data passes through the adaptive security appliance, you may need to modify signatures in order to trigger events. If the adaptive security appliance and AIP SSM are deployed in an environment that passes a large amount of traffic, the default signature settings will probably generate an event.

Troubleshooting the Configuration

To troubleshoot your configuration, perform the following steps:

The OIT (for registered customers only) supports certain show commands. Use the OIT to view an analysis of show command output.

Step 1 From the ASA 5510, enter these show commands:

a. show module—Shows information about the SSM on the adaptive security appliance as well as system information.